Channel: SCN: Message List - SAP Single Sign-On

Re: Problem with SSO between EP and ECC


Hi Anil,

 

Here is a template that explains how to get the SM50 traces.

 

1. Call transaction SM50 (process list):
2. Process -> Trace -> Reset -> Workprocess Files
3. Key combination: F5 (select all), CTRL-Shift-F7 => Dialog box;
4. Set trace level=3 and ONLY(!) check the "Security" component;

  If necessary, you must repeat these steps for each server (see
  transaction SM51), unless you can use a specific server for
  reproducing the error (for example, by excluding the load
  distribution).

 

The traces will be in the dev_wX files in the work directory.

 

Get a screenshot of STRUSTSSO2, that shows the J2EE Engine certificate import into the certificate list and the ACL. I can double check for you if you imported it ok.

 

Hope this helps,
Cathal


Re: SNC Error


Hi Sriram

 

That helped me to resolve the error. Now I am getting another error

 

A2200223 Peer certificate path not trusted

 

I am using the same SNC name in my SAP GUI as provided in profile parameter 'snc/identity/as'

 

p:CN=<mySID>, OU=I0020095220, OU=SAP Web AS, OU=Server, O=SAP Trust Community, C=DE

 

This is the certificate that's generated in STRUST, in my profile parameter and also in SAP GUI.

 

Can you please help me know what I am missing?

 

Thanks

 

Thilip Kumar

 

Kerberized JCo from external Java application using NWSSO libraries


Hi everyone,

 

I am developing an external Java application that connects to SAP using JCo and would like to utilize Kerberos as our method of authentication. Can I use the NWSSO libraries to accomplish this? I've seen many examples of connecting JCo applications using X.509 certificates but none using Kerberos. What library file SNC_LIB should my JCo program use (sapcrypto.dll, secgss.dll)? Any help from someone with experience would be appreciated.

 

Thanks

Kevin Spillman

Re: SNC Error


Hi,

 

Thanks Sriram. I did refer to the error code specified in the note, but couldn't go forward. Mentioned below is the profile that's being used in the Secure Login client to connect to the LDAP.

 

p:CN=<my user ID>,OU=ITD,OU=Users,OU=Users and Computers,DC=na,DC=paccar,DC=com

 

So should I use the name (mentioned above) for the SNC name in STRUST, profile parameter and in my SAP GUI?

 

I am able to connect the Secure client to Secure Server and completed the authentication part too. Now I am stuck with authenticating via SNC. This is the piece I don't clearly understand how it works.

 

 

Thanks

 

Thilip Kumar

Re: Kerberized JCo from external Java application using NWSSO libraries

AFAIK there is no server implementation for retrieving a Kerberos ticket from the JCo connection, existing implementations use HTTP headers meaning they require a browser.

Re: SNC Error


Hello Thilip Kumar,

 

A2200223 Peer certificate path not trusted means:

 

The client does not trust the ABAP SNC server certificate path. Please import the Root CA of the SNC PKI into your client's certificate store. You can extract this certificate with STRUST.

Hope this hint helps.

 

best regards

 

Alex

Re: Kerberized JCo from external Java application using NWSSO libraries

It is possible to use an SNC library which uses a Kerberos mechanism to authenticate users and secure connections via JCo. I have used this approach many times and it works well. However, you cannot use the sapcryptolib or secgss library since these libraries do not have the necessary features to do what you want.


Re: Kerberized JCo from external Java application using NWSSO libraries

Hi Kevin,

 

Can I use the NWSSO libraries to accomplish this

 

I am not sure what you mean with NWSSO libraries. If you are using the product SAP NetWeaver Single Sign-On, you have to use the Secure Login Library. This library is supporting also Kerberos. SAPCRYPTOLIB (part of SAP NetWeaver) is supporting only certificates.

 

 

 

Regards

Matthias

Re: Kerberized JCo from external Java application using NWSSO libraries

Hello Kevin,

 

Normally SAPJCO is used for server-side applications, and for that X.509 authentication is preferred for SNC.
The Secure Login Library does not actively get the Kerberos ticket for a given SPN; this is done in the Secure Login Client (which also uses the Secure Login Library below).

 

The Secure Login Library alone can not be used for a Kerberos based SNC with SAPJCO.

 

best regards

 

Alex

Re: Portal Java as SAML2 Identity Provider


Dear Angel

Were you able to find a solution for your situation?

 

For us, we are looking for a setup that can help us with SSO for the users logging in from internet devices like mobile, so we want to use SAP Logon Tickets that can cascade with Gateway and ERP subsequently.

 

Currently we don't have NwSSO or SAML in place.

 

Kindly let me know how to set this up, or if you have a better suggestion.

 

Regards

Re: Kerberized JCo from external Java application using NWSSO libraries

This was my original thought. Thanks for confirming Alex

Re: Kerberized JCo from external Java application using NWSSO libraries

Kevin,

If you need a library that will work with Kerberos and JCo, please let me know.

Thanks

Tim

Re: Kerberized JCo from external Java application using NWSSO libraries

Hi Kevin,

 

one additional comment:

if you are developing the Java application for a Windows client, you can use an installed Secure Login Client to make SNC with Kerberos over SAPJCO.

It depends on your use case if that is practical or not; it's of course not useful for server to server.

 

best regards

 

Alex

Re: SNC Error


Thanks Alex. That worked like a charm. I had imported Root CA into my client previously, but I modified User Sub CA later and hence the issue. Once I exported and imported the latest Root CA from Secure Login Server to my client, the SSO started working perfectly fine.

 

Both Sriram's and Alex's responses helped me resolve my problems; however, I can mark only one as 'Correct Answer'. Thank you, both of you. My next challenge is to configure the User Mapping piece. If there are any issues, I would open a new thread.

 

Thanks

 

Thilip Kumar


SAP NW SSO - SNC logon with User Password


Hello Experts,

 

Currently we don't have NW SSO license so we want to use SNC logon with user password in GUI-

ScreenHunter_01 Apr. 16 08.22.gif

So my question is how can we test the same. If I log in with an AD user, which password do I need to supply: the Windows password or the SAP password?

 

SPN  is -

 

C:\Windows\system32>setspn -l KERBEROSED1

Registered ServicePrincipalNames for CN=KERBEROSED1,OU=Services,OU=Internal Accounts,DC=abc,DC=def:

HTTP/ancecdci1.abc.def

SAP/KERBEROSED1


I have already maintained user snc tab and SNC parameters

 

snc/identity/as                             p:CN=SAP/KERBEROSED1@xvz.com

 

SNC tab -

p:CN=ED1ADM@abc.def

 

Trust is set up between xyz.com and abc.def domain and I am testing with user <SID>adm, which is created on domain abc.def, but I am not able to log in with the Windows password.

ScreenHunter_03 Apr. 16 08.33.gif

 

Please suggest.

 

Saurabh

Re: SAP NW SSO - SNC logon with User Password



Hi Saurabh,

 

Using SNC for encryption only, you still need to log in with your SAP username and password. You cannot log in with your AD username unless it is the same as the SAP user.

The Kerberos configuration used for the SNC setup is purely to enable the clients to exchange the required keys for encryption.

 

 

Regards,

 

Patrick

Re: Portal Java as SAML2 Identity Provider


Hi Khaja,

Finally we have implemented SSO with SAP Logon Tickets because both systems support this SSO mechanism.

Kind regards

Re: SAP Netweaver 7.4 spnego configuration Error


Hello,

 

I have the same issue after upgrading my system from 7.01 to 7.40.

SPNego worked before the upgrade.

 

Now, I have this :

 

LOGIN.FAILED
User: N/A
IP Address: 128.41.15.233
Authentication Stack: sap.com/SSOEAR*login
Authentication Stack Properties:
        policy_domain = /login
        realm_name = Upload Protected Area

Login Module                                                               Flag        Initialize  Login      Commit     Abort      Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule             SUFFICIENT  ok          false                 true      
        #1 trusteddn1 = CN=D39,OU=DSIRH,OU=DGRH,O=SAP Trust Community,C=DE
        #2 trustediss1 = CN=D39,OU=DSIRH,OU=DGRH,O=SAP Trust Community,C=DE
        #3 trustedsys1 = D39,000
        #4 ume.configuration.active = true
2. com.sap.security.core.server.jaas.SPNegoLoginModule                     OPTIONAL    ok          exception             true      SPNego authentication has failed during previous attempt.
        #1 com.sap.security.spnego.legacy = false
        #2 com.sap.spnego.creds_in_thread = true
        #3 com.sap.spnego.jgss.name = DJ1SAPSSO@EMEA.LOREAL.INTRA
        #4 com.sap.spnego.uid.resolution.attr = krb5principalname
        #5 com.sap.spnego.uid.resolution.mode = simple
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT  ok          false                 true      
        #1 ume.configuration.active = true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   REQUISITE   ok          false                 false     
5. com.sap.security.core.server.jaas.CreateTicketLoginModule               REQUISITE   ok          false                 true      
        #1 ume.configuration.active = true
No logon policy was applied



and authentication window appears to put my credentials.....


Can you help me?

Regards
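
As an added example (not part of the original post and not SAP code), this parser reads a login-module table in the layout of the log above, lists the modules that threw an exception, and reports the position at which the stack outcome is decided. It assumes standard JAAS control-flag semantics apply and that a successful login is logged as `true`; the sample rows are constructed and the option value is a placeholder.

```python
import re

# Row layout: "<n>. <class>  <FLAG>  <initialize>  <login>  [commit] [abort] [details]"
ROW = re.compile(r"^(\d+)\.\s+(\S+)\s+(REQUIRED|REQUISITE|SUFFICIENT|OPTIONAL)"
                 r"\s+(\S+)\s+(\S+)\s*(.*)$")

# Constructed sample in the layout of the log above; the option value is a placeholder.
SAMPLE = """\
Login Module                      Flag        Initialize  Login      Commit  Abort  Details
1. com.sap.security.core.server.jaas.EvaluateTicketLoginModule  SUFFICIENT  ok  false      true
        #1 ume.configuration.active = true
2. com.sap.security.core.server.jaas.SPNegoLoginModule  OPTIONAL  ok  exception  true  SPNego authentication has failed during previous attempt.
        #1 com.sap.spnego.jgss.name = PLACEHOLDER@EXAMPLE.REALM
3. com.sap.security.core.server.jaas.CreateTicketLoginModule  SUFFICIENT  ok  false  true
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule  REQUISITE  ok  false  false
5. com.sap.security.core.server.jaas.CreateTicketLoginModule  REQUISITE  ok  false  true
"""

def parse_stack(text):
    """Return one dict per login-module row; '#n key = value' option lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        pos, cls, flag, _init, login, tail = m.groups()
        # Drop the Commit/Abort booleans so only the free-text Details remain.
        details = re.sub(r"^(?:(?:true|false)\b\s*)+", "", tail)
        rows.append({"pos": int(pos), "module": cls.rsplit(".", 1)[-1],
                     "flag": flag, "login": login, "details": details})
    return rows

def diagnose(rows):
    """Walk the stack using standard JAAS control-flag semantics (assumed to apply)."""
    errors = [(r["pos"], r["module"], r["details"]) for r in rows if r["login"] == "exception"]
    required_failed = any_ok = False
    for r in rows:
        ok = r["login"] == "true"  # assumption: a successful login is logged as "true"
        any_ok = any_ok or ok
        if r["flag"] == "SUFFICIENT" and ok:     # success here ends the walk
            result = "failed" if required_failed else "success"
            return {"result": result, "decided_by": r["pos"], "errors": errors}
        if r["flag"] == "REQUISITE" and not ok:  # failure here ends the walk
            return {"result": "failed", "decided_by": r["pos"], "errors": errors}
        if r["flag"] == "REQUIRED" and not ok:   # failure recorded, walk continues
            required_failed = True
    result = "success" if any_ok and not required_failed else "failed"
    return {"result": result, "decided_by": None, "errors": errors}

if __name__ == "__main__":
    print(diagnose(parse_stack(SAMPLE)))
```

On the sample, the SPNego module at position 2 is reported as the only exception, and because its flag is OPTIONAL the walk continues until the REQUISITE password module at position 4 fails.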

Re: SAP Netweaver 7.4 spnego configuration Error


You will get a better response on SCN if you open a new thread rather than adding details onto an existing thread. This thread is already marked as answered.
